Doh! Packet sampling theory link: http://www.sflow.org/about/sampling_theory.php
-----Original Message-----
From: Chris Moore
Sent: Friday 16 June 2006 11:01
To: [email protected]
Subject: RE: [Ntop] Vlan Report

Sorry, that's Sampled Netflow. I think you might already have it (not a lot of experience w/ the big Cisco switches - we use Foundry):

http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a7618.html

Here's some good stuff about sampling. It's about sFlow but is just as applicable to Netflow. The gist of it is that over the long term, sampling is pretty darn accurate as long as you're not looking for specific packets that come in ones and twos. Right now, Ntop doesn't do the multiplying for you, but if you're sampling 1 in 64 packets, just multiply whatever Ntop says by 64. I discussed adding multiplier functionality into Ntop awhile back with Luca with respect to sFlow. Dunno if this is still on his roadmap or not.

Use the Netflow plugin in Ntop and see back traffic discussing both NetFlow and sflow.

C

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Weid
Sent: Friday 16 June 2006 10:29
To: [email protected]
Subject: RE: [Ntop] Vlan Report

What is that? Is it freeware? Network General has been trying to sell me the infinistream but it is VERY pricy.

http://www.networkgeneral.com/Products_details.aspx?PrdId=20046117180712&CatId=1

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Friday, June 16, 2006 9:26 AM
To: [email protected]
Subject: RE: [Ntop] Vlan Report

On second thought, that sounds like a job for sampled NetFlow!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Friday, June 16, 2006 10:22 AM
To: [email protected]
Subject: RE: [Ntop] Vlan Report

Ah, well that's easy. All you need is a 10-gig NIC and a box that will support it! Oh, and a 10-gig card for that Cat. Linux and Ntop aren't so free anymore, are they? ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Weid
Sent: Friday, June 16, 2006 10:12 AM
To: [email protected]
Subject: RE: [Ntop] Vlan Report

Yea that makes sense. My problem is we run the big Cat 6000 series Cisco switches and are currently configured for 2gb uplinks. We will move these up to 8gb in a couple of weeks. Even if the uplinks go to 50% capacity it overruns the speed of my monitoring link. Like trying to drink from a firehose.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Friday, June 16, 2006 9:04 AM
To: [email protected]
Subject: RE: [Ntop] Vlan Report

Well, yes and no. You definitely need to make sure you have the right hardware and know your network to do it. Watch two things - one, if you have a lot of ports mirrored to a single monitoring port make sure you're not exceeding the capacity of that mirrored link. Once you're straight here, watch your dropped packets under Summary > Traffic. A couple percent is no big deal, but if you're getting into double-digits then you need to do some optimizations and/or hardware upgrades.

Your NIC is important too. IIRC the dropped packets stat will not reflect packets dropped by the NIC. That old NIC in the back of the drawer is fine for monitoring a T1 router, but if you're getting into a busy gig link you need to find a good one. I did some research awhile back (forget where) and concluded that I needed to be using 64-bit PCI NICs from SysKonnect. I have no affiliation with them, but they do seem to be very good. Obviously this requires a MB with 64-bit PCI. Monitoring a busy gig link is definitely not a job for an old clone!
_________________________________________
Chris Moore
Senior Network Engineer
Guardian Mortgage Documents
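
The sampling point made in the thread (scale what Ntop reports by the sampling rate; accuracy holds for busy traffic but not for packets that come in ones and twos), as an added example that is not part of the original messages. It simulates random 1-in-64 sampling over constructed packet counts and applies the error bound from the sFlow sampling theory page linked above; the function names and traffic classes are assumptions made for illustration.

```python
import math
import random

def scale_sampled(sampled, rate):
    """Estimate the real packet count from a 1-in-`rate` sampled count."""
    return sampled * rate

def max_pct_error(sampled):
    """95%-confidence bound on relative error, per the sFlow sampling
    theory page linked in the thread: %error <= 196 * sqrt(1/c),
    where c is the number of samples seen for the traffic class."""
    if sampled == 0:
        return math.inf  # nothing sampled: the estimate says nothing
    return 196.0 * math.sqrt(1.0 / sampled)

def simulate(true_counts, rate, seed=1):
    """Randomly sample 1-in-`rate` packets per class and scale back up."""
    rng = random.Random(seed)
    report = {}
    for name, total in true_counts.items():
        sampled = sum(1 for _ in range(total) if rng.randrange(rate) == 0)
        report[name] = {
            "true": total,
            "sampled": sampled,
            "estimate": scale_sampled(sampled, rate),
            "max_pct_error": max_pct_error(sampled),
        }
    return report

# Constructed packet counts per traffic class (not measured data).
TRUE_COUNTS = {"bulk-transfer": 640_000, "web": 64_000, "rare-probe": 2}

if __name__ == "__main__":
    for name, row in simulate(TRUE_COUNTS, rate=64).items():
        print(f"{name:14} true={row['true']:>7} est={row['estimate']:>7} "
              f"bound=+/-{row['max_pct_error']:.1f}%")
```

The two-packet class can only ever be reported as 0, 64 or 128 packets, which is why sampled flow data suits volume reporting and not spotting individual packets.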
